popup

Report - rockss.exe

UPX Malicious Library Malicious Packer AntiDebug AntiVM PE File PE32 OS Processor Check PE64
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2023.09.18 16:39 Machine s1_win7_x6403
Filename rockss.exe
Type PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
AI Score
1
 Behavior Score
8.4
ZERO API file : malware
VT API (file) 48 detected (AIDetectMalware, Fabookie, Razy, GenericRXTF, Save, malicious, Lazy, Eldorado, Attribute, HighConfidence, high confidence, score, Lzfl, moderate, Tnega, 10AFFS0, Redline, ASAO, Detected, R497632, BScope, Nitol, ai score=85, unsafe, Genetic, AMADEY, YXDIRZ, DcRat, BNER4NzZWDL, Static AI, Suspicious PE, susgen, Tiny, ZexaF, @tW@aGbz1sli, confidence, 100%)
md5 b32d5a382373d7df0c1fec9f15f0724a
sha256 010fe481ba6275ebbf71e102e66d73f5d819252f2b4b1893d2acf53c04f4200f
ssdeep 98304:1baEG/yFFxGJ2sdlCVRdjvIp+CF0GYI8opL4wnZ8Hs:1rG/wGosdmpQI0YIp4NM
imphash a9c887a4f18a3fede2cc29ceea138ed3
impfuzzy 6:HMJqX0umyRwXJxSBS0H5sD4sIWDLb4iPEcn:sJqpRSY58PLPXn
  Network IP location

Signature (16cnts)

Level Description
danger File has been identified by 48 AntiVirus engines on VirusTotal as malicious
danger Executed a process and injected code into it
watch Allocates execute permission to another process indicative of possible code injection
watch Detects Avast Antivirus through the presence of a library
watch Potential code injection by writing to the memory of another process
watch Resumed a suspended thread in a remote process potentially indicative of process injection
watch Used NtSetContextThread to modify a thread in a remote process indicative of process injection
notice Allocates read-write-execute memory (usually to unpack itself)
notice Creates executable files on the filesystem
notice Drops a binary and executes it
notice Drops an executable to the user AppData folder
notice One or more potentially interesting buffers were extracted
notice The binary likely contains encrypted or compressed data indicative of a packer
notice Yara rule detected in process memory
info Checks amount of memory in system
info Checks if process is being debugged by a debugger

Rules (16cnts)

Level Name Description Collection
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch Malicious_Packer_Zero Malicious Packer binaries (download)
watch UPX_Zero UPX packed file binaries (download)
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info IsPE64 (no description) binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (download)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory

Network (2cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
z.nnnaajjjgc.com
whois
US HK Kwaifong Group Limited 156.236.72.121 malware
156.236.72.121
whois
US HK Kwaifong Group Limited 156.236.72.121 mailcious

Suricata ids

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure

PE API

IAT(Import Address Table) Library

msvcrt.dll
 0x8a4880 malloc
 0x8a4884 memset
 0x8a4888 strcmp
 0x8a488c strcpy
 0x8a4890 getenv
 0x8a4894 sprintf
 0x8a4898 fopen
 0x8a489c fwrite
 0x8a48a0 fclose
 0x8a48a4 __argc
 0x8a48a8 __argv
 0x8a48ac _environ
 0x8a48b0 _XcptFilter
 0x8a48b4 __set_app_type
 0x8a48b8 _controlfp
 0x8a48bc __getmainargs
 0x8a48c0 exit
shell32.dll
 0x8a48c8 ShellExecuteA
kernel32.dll
 0x8a48d0 SetUnhandledExceptionFilter

EAT(Export Address Table) is none


Similarity measure (PE file only) - Checking for service failure